Botnets and the Deep Web

A bot is a special form of malware that is considered one of today’s most sophisticated tools of cybercrime. Bots enable hackers to control a large number of computers simultaneously and turn them into an army of “zombie” machines that operate collectively as a powerful “botnet” to send spam and commit various other forms of malicious activity.

What is a botnet?

A botnet is usually comprised of a large number of infected victim machines located across various parts of the globe. Because the infected machines perform whatever computational operations their master orders, they are sometimes referred to as “zombies”. The hacker who controls a botnet is known as a botmaster or botherder.

Some botnets are composed of a few hundred or a few thousand victim machines, while others may reach up to 500,000 zombies at the disposal of their botmasters. In most cases the victim won’t even know that his/her machine is infected with a bot. Possible manifestations of a bot infection include a slowdown of your computer, the display of strange messages, or even a total crash of your machine.

Bots are usually installed silently on victims’ machines in a number of ways. They spread across the internet by seeking out and infecting unprotected, vulnerable machines. After infecting a vulnerable machine, the bot reports the victim’s IP address back to the botmaster. The aim is for the bots to remain quiescent until their botmaster orders them to carry out a specific task at some point in the future. Once a computer is enslaved by a bot, it becomes part of the botherder’s botnet and can be used by him/her to carry out a myriad of tasks, including:

1. Sending spam email, viruses and spyware.

2. Phishing for private and personal information, including credit card numbers, bank account data and other forms of private personal information, and sending it back to the botmaster.

3. DDoS (Distributed Denial of Service) attacks. Botnets make it easy to mount a DDoS attack against a predefined target. Black hat hackers blackmail website owners with DDoS attacks, extorting money from them in exchange for stopping the attack and giving the owners back control over their websites. DDoS attacks are also launched against individuals’ PCs, or other machines connected to the internet, by targeting their IP addresses. The botmaster orders all enslaved machines, i.e. the machines infected by the bot, to connect to the target website at the same time, which constitutes the DDoS attack.

4. Click fraud: botmasters can direct the victim machines to pay-per-click (PPC) ads, with the bots deceptively impersonating real internet users, so that the botmaster earns a large amount of money, especially if he/she manages to control a large number of machines.

5. Mining cryptocurrency: botmasters can code their botnets to mine bitcoin or altcoins. In 2015, uTorrent, the most widely used BitTorrent client, was found to silently install a bot that mined bitcoin. Back then, uTorrent users experienced a marked slowdown of their PCs, as bitcoin mining consumes enormous processing power.

Botnets and the Deep Web:

A botmaster has to carefully hide the Command and Control (CC) servers of his/her botnet, and the network traffic to and from those servers, to avoid discovery and/or takeover of the botnet’s malicious infrastructure. Nowadays, most botmasters choose to conceal their Command and Control servers on the Tor network. Botnets based on the Tor network offer the following advantages:

High availability and low downtime of authenticated Tor hidden services.

Reasonable availability of private Tor networks.

Exit node flooding capabilities.

Traffic analysis is usually performed by Law Enforcement Agencies (LEAs) to detect the various activities related to botnets and to pinpoint their CC servers. In practice this is done with network analyzers and Intrusion Detection Systems. Once a botnet is detected, LEAs have various options to eradicate it:

Blocking the IP addresses of the CC server.

Cleaning the server used to host the botnet and other compromised hosts.

Revoking domain name(s).

De-peering of the hosting provider.

Botnet traffic is redirected to the CC server through the Tor network, which encrypts it and makes the analysis harder to accomplish. There are two botnet models based on the Tor network:

Tor2Web Proxy Based Botnet Model:

The routing procedure redirects .onion traffic via a Tor2Web proxy. The bot connects to the Tor hidden service through the Tor2Web proxy, which points to the onion domain that hosts the CC server.

Proxy-aware Malware Via the Tor Network:

This model uses proxy-aware malware. As the Tor2Web service is not used, the bot has to run a Tor client on the victim host. Bots must have SOCKS5 support in order to reach onion addresses on the Tor network through the Tor client running on the infected machine.
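The Tor2Web model above leaves a clearnet footprint that the traffic analysis described earlier can pick up: a hidden-service address (a 16-character v2 or 56-character v3 base32 label) embedded in a hostname, followed by a gateway suffix. The following added example, which is not code from the original article, scans proxy and DNS log lines for such hostnames and reports which internal hosts produced them. The log format, the onion labels and the gateway domain `tor2web.example` are all constructed placeholders.

```python
import re
from collections import defaultdict

# A hostname ending in ".onion" whose last label is a 16- or 56-char base32
# string is a hidden-service address. If a further domain suffix follows
# ".onion", the host went through a clearnet Tor2Web gateway (the bot itself
# never speaks Tor). Lookbehind/lookahead keep the label length exact.
ONION_RE = re.compile(
    r"(?<![a-z2-7])(?P<addr>[a-z2-7]{16}|[a-z2-7]{56})\.onion"
    r"(?P<gateway>\.[a-z0-9.-]*[a-z0-9])?(?![a-z0-9-])",
    re.IGNORECASE,
)

def classify_host(target):
    """Return 'onion', 'tor2web' or None for one hostname or URL string."""
    m = ONION_RE.search(target)
    if not m:
        return None
    return "tor2web" if m.group("gateway") else "onion"

def find_onion_indicators(lines):
    """Scan constructed log lines of the form '<ts> <src_ip> <event> <host-or-url>'."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue                      # skip malformed lines
        ts, src, event, target = parts[:4]
        kind = classify_host(target)
        if kind:
            hits.append({"ts": ts, "src": src, "event": event, "kind": kind, "target": target})
    return hits

def hosts_by_source(hits):
    """Aggregate indicator kinds per internal source address."""
    out = defaultdict(set)
    for h in hits:
        out[h["src"]].add(h["kind"])
    return dict(out)

V2 = "exampleonionaddr"                   # constructed 16-char label
V3 = ("exampleonion" * 5)[:56]            # constructed 56-char label
GATEWAY = "tor2web.example"               # constructed gateway placeholder

SAMPLE_LOG = [                             # constructed proxy/DNS log lines
    f"2024-01-01T10:00:00Z 10.0.0.5 GET http://{V2}.onion.{GATEWAY}/gate.php",
    f"2024-01-01T10:00:05Z 10.0.0.5 GET http://{V3}.onion.{GATEWAY}/gate.php",
    "2024-01-01T10:00:07Z 10.0.0.5 GET https://www.example.com/",
    f"2024-01-01T10:01:00Z 10.0.0.7 QUERY {V2}.onion.",
    "2024-01-01T10:01:02Z 10.0.0.9 GET http://onion.example.com/index.html",
    "2024-01-01T10:01:03Z 10.0.0.9 QUERY updates.example.net.",
]

if __name__ == "__main__":
    for src, kinds in hosts_by_source(find_onion_indicators(SAMPLE_LOG)).items():
        print(f"{src}: {', '.join(sorted(kinds))}")
```

A bare `.onion` DNS query (10.0.0.7 here) is itself an indicator, since .onion is a reserved special-use name that normal resolvers should never be asked for; the `onion.example.com` decoy is correctly ignored because it carries no address label.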